(54) Secure computing device

(57) A secure computing system (100) stores a program, preferably the real time operating system (210), that is encrypted with a private key. A boot ROM (135) on the same integrated circuit as the data processor and inaccessible from outside includes an initialization program and a public key corresponding to the private key. On initialization the boot ROM decrypts at least a verification portion of the program. On verification normal operation is enabled. On non-verification, the system could be disabled, or that application program could be disabled. A diagnostic program is stored at a predetermined non-relocatable physical address in memory. The program is made non-relocatable using a special table look-aside buffer (137) having a fixed virtual address register (611) and a corresponding fixed physical address register (641). The secure computing system prevents unauthorized use of compressed video data stored in a first-in-first-out memory buffer by encrypting the compressed video data stream using at least a part of the chip identity number as an encryption key (703). The data is recalled from memory (705) and decrypted (706) as needed for video decompression. The debugger/emulator tool commonly employed in program development is protected by a private encryption key used to encrypt at least a verification token for the program. Upon each initialization of the debugger/emulator, the secure computer system decrypts the verification token employing public decryption key (805) to indicate whether the program is secure or non-secure.
Description

TECHNICAL FIELD OF THE INVENTION 

[0001] The technical field of this invention is secure computing systems, especially computer systems that may execute after manufacture field provided programs secured to prevent the user from unauthorized use of selected computer services. The computer system may also be functionally reprogrammable in a secure manner.

BACKGROUND OF THE INVENTION 

[0002] There are currently many methods to deliver video programming to users of television besides over the air broadcast. Numerous service providers are available to supply this programming to television viewers. Most of these service providers vend a hierarchy of services. Typically there is a basic service for a basic fee and additional services available for an additional fee. The basic services typically include the broadcast network programming, cable superstations, music and sports programming. These basic services are typically supported by advertising. These basic programming services thus operate on the same economics as over the air broadcast television. The additional services typically include the so called "premium" programming such as sports and movies. These premium programming services are typically not advertiser supported. These are perceived by the television user as higher value services and television users are willing to pay their service providers additional fees for these services. The service provider passes much of this additional fee to the content providers as their compensation for supplying the programming. There may be one or several tiers of these premium services made available by the service providers. At the top of this programming hierarchy is pay per view programming. Pay per view programming typically includes music concerts and sporting events perceived as time sensitive and highly valuable by the television users. Pay per view may also include video on demand, where the television user requests a particular movie be supplied. This hierarchy of service exists for all current alternative methods of program delivery including television cable, over the air microwave broadcast and direct satellite television.
[0003] Reception of such alternative programming services has required an additional hardware appliance beyond the user provided television receiver since the beginning of cable television. Initially this additional hardware appliance merely translated the frequency of the signal from the transmission frequency to a standard frequency used in broadcast television. Such a standard frequency is receivable by the user provided television receiver. This additional hardware appliance is commonly known as a "set top box" in reference to its typical deployment on top of the television receiver. Current set top boxes handle the hierarchy of security previously described.

[0004] In the past these set top boxes have been fixed function machines. This means that the operational capabilities of the set top boxes were fixed upon manufacture and not subject to change once installed. A person intending to compromise the security of such a set top box would need substantial resources to reverse engineer the security protocol. Accordingly, such fixed function set top boxes are considered secure. The future proposals for set top boxes place the security assumption in jeopardy. The set top box currently envisioned for the future would be a more capable machine. These set top boxes are expected to enable plural home entertainment options such as the prior known video programming options, viewing video programming stored on fixed media such as DVD disks, Internet browsing via a telephone or cable modem and playing video games downloaded via the modem or via a video data stream. Enabling the set top box to be programmed after installation greatly complicates security. It would be useful in the art to have a secure way to enable field reprogramming of set top boxes without compromising the hierarchy of video programming security.

SUMMARY OF THE INVENTION 

[0005] The present application discloses a secure computing system. A program, preferably the secure computing system real time operating system, is encrypted with a private key. The data processor includes a boot ROM on the same integrated circuit that is inaccessible from outside the integrated circuit. The boot ROM includes the public key corresponding to the private key used to encrypt the program. On initialization the boot ROM decrypts at least a verification portion of the program. This enables verification or non-verification of the security of the program. The boot ROM may store additional public keys for verification of application programs following verification of the real time operating system. Alternatively, these additional public keys may be stored in the non-volatile memory.
[0006] On verification of the security of the program, normal operation is enabled. There are several remedial actions that can take place on non-verification. The system could be disabled, or in the case of non-verification of an application following verification of the real time operating system only that application program could be disabled. The system could notify the system vendor of the security violation using the modem of the secure computing system.

[0007] A diagnostic program can check the security of a program. The program is stored at a predetermined physical address in memory. Relocation of these physical addresses where the program is stored is prevented. The diagnostic program is loaded and checks the program at the predetermined physical address against a standard. The diagnostic program then indicates that the program is verified as secure if it meets the standard or non-verified as secure if it does not meet the standard.

[0008] The program is made non-relocatable using a special table look-aside buffer. The table look-aside buffer has a fixed virtual address register and a plurality of writable virtual address registers. Each of these virtual address registers has a comparator and a corresponding physical address register. The physical address register corresponding to the fixed virtual address register is also fixed. The fixed virtual address register and the fixed physical address register encompass the range of addresses where the program is stored. The fixed virtual address register and the fixed physical address register are preferably mask programmable in manufacture via a metal layer.
[0009] The fixed virtual address register and the fixed physical address register may be registers ostensibly writable via the instruction set architecture. In this case, attempts to write to these registers do not change their contents. In addition, it is preferable that attempts to write to these registers produce no faults or exceptions. Alternatively, the fixed virtual address register and the fixed physical address register may not be accessible via the instruction set architecture.
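
The following Python model is an added example, not text or code from the patent. It shows why the fixed register pair of paragraphs [0008] and [0009] matters to the diagnostic check of paragraph [0007]: with an ordinary, fully writable table the check at the predetermined physical address can pass while different bytes are executed. The page size, page numbers, class and function names, and the rule that the fixed comparator takes priority are assumptions made for the illustration.

```python
import hashlib

PAGE_BITS = 12            # assumed 4 KiB pages
PROGRAM_VPAGE = 0x10      # assumed fixed virtual page of the protected program
PROGRAM_PPAGE = 0x40      # assumed predetermined physical page
OTHER_PPAGE = 0x80        # another physical page holding a different copy


class TLB:
    """Entry 0 models the mask-programmed pair; the rest are ordinary entries."""

    def __init__(self, writable_entries=4, entry0_fixed=True):
        self.entry0_fixed = entry0_fixed
        self.entries = [(PROGRAM_VPAGE, PROGRAM_PPAGE)] + [None] * writable_entries

    def write(self, index, vpage, ppage):
        """ISA-visible register write. A write aimed at the fixed pair changes
        nothing and raises nothing (no fault, no exception)."""
        if index == 0 and self.entry0_fixed:
            return
        self.entries[index] = (vpage, ppage)

    def translate(self, vaddr):
        vpage = vaddr >> PAGE_BITS
        offset = vaddr & ((1 << PAGE_BITS) - 1)
        # Entry 0 is compared first. Assumption: the fixed comparator wins when
        # a writable entry is loaded with the same virtual page.
        for entry in self.entries:
            if entry is not None and entry[0] == vpage:
                return (entry[1] << PAGE_BITS) | offset
        raise LookupError(f"TLB miss for virtual address {vaddr:#x}")


def make_memory():
    """Constructed physical memory: page number -> page contents."""
    size = 1 << PAGE_BITS
    return {
        PROGRAM_PPAGE: b"constructed genuine program".ljust(size, b"\x00"),
        OTHER_PPAGE: b"constructed modified copy".ljust(size, b"\x00"),
    }


# The "standard" the diagnostic program compares against.
STANDARD = hashlib.sha256(make_memory()[PROGRAM_PPAGE]).digest()


def diagnostic_passes(memory):
    """Diagnostic program: check the bytes at the predetermined physical address."""
    return hashlib.sha256(memory[PROGRAM_PPAGE]).digest() == STANDARD


def executed_ppage(tlb):
    """Physical page actually fetched when the program runs at its virtual address."""
    return tlb.translate(PROGRAM_VPAGE << PAGE_BITS) >> PAGE_BITS


def check_covers_running_code(tlb, memory):
    """True only if the bytes that were checked are the bytes that execute."""
    return diagnostic_passes(memory) and executed_ppage(tlb) == PROGRAM_PPAGE


def try_relocate(tlb):
    """Software attempts to point the program's virtual page at another page."""
    tlb.write(0, PROGRAM_VPAGE, OTHER_PPAGE)   # overwrite the pair itself
    tlb.write(1, PROGRAM_VPAGE, OTHER_PPAGE)   # or shadow it with a writable entry
    return tlb


if __name__ == "__main__":
    memory = make_memory()
    for fixed in (True, False):
        tlb = try_relocate(TLB(entry0_fixed=fixed))
        print(f"entry0_fixed={fixed}: diagnostic passes={diagnostic_passes(memory)}, "
              f"covers running code={check_covers_running_code(tlb, memory)}")
```
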
[0010] The disclosed embodiment of the secure computing system prevents unauthorized use of compressed video data stored in a first-in-first-out memory buffer in a set top box. Current video compression techniques do not compress data uniformly. For this reason a uniform compressed video data rate does not translate into a uniform decompressed video data rate. Typical set top boxes employ off chip DRAM as a first-in-first-out (FIFO) buffer to prevent the decompression process from overflowing or underflowing. The memory bus traffic between the data processor and the portion of memory used as the FIFO buffer is subject to interception and unauthorized use.
[0011] The data processor is disposed on a single integrated circuit. This data processor includes a chip identity read only register storing a unique chip identity number. This unique chip identity number is fixed during manufacture by, for example, laser probing or selective activation of fuse or antifuse links in the chip identity register. The data processor encrypts the compressed video data stream using at least a part of the chip identity number as an encryption key. This encrypted data is stored in the memory area serving as the FIFO buffer. The data is recalled from memory as needed for video decompression. The data processor then decrypts the recalled data employing at least a part of the chip identity number as the decryption key.
[0012] Using this technique the compressed video data stream temporarily stored in compressed form in the FIFO buffer can only be read by the particular data processor having the unique chip identity number. Since the chip identity number is unique to that particular data processor the video data cannot be processed by another data processor, even another identical set top box system without breaking the code. The encryption and decryption is transparent to the user requiring only a small additional processing capacity within the data processor.
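
A Python model of the store and recall path described in paragraphs [0010] to [0012], added here as an example and not taken from the patent. The patent names no cipher, so a SHA-256 counter keystream stands in for one; the key width, the per-chunk sequence numbers and all names are assumptions, and the chip identity values are constructed.

```python
import hashlib
from collections import deque


class DataProcessor:
    """On-chip side: only this object ever holds the key derived from the chip identity."""

    def __init__(self, chip_identity: int, key_bytes: int = 8):
        # "At least a part of" the identity number: here its low key_bytes bytes.
        mask = (1 << (8 * key_bytes)) - 1
        self._key = (chip_identity & mask).to_bytes(key_bytes, "big")
        self._write_seq = 0   # chunk counters keep the keystream from repeating
        self._read_seq = 0    # across FIFO slots; both run in FIFO order

    def _keystream(self, seq: int, length: int) -> bytes:
        out = b""
        block = 0
        while len(out) < length:
            out += hashlib.sha256(
                self._key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")
            ).digest()
            block += 1
        return out[:length]

    def store(self, dram: deque, chunk: bytes) -> None:
        """Encrypt a compressed-video chunk, then place it in off-chip DRAM."""
        stream = self._keystream(self._write_seq, len(chunk))
        dram.append(bytes(a ^ b for a, b in zip(chunk, stream)))
        self._write_seq += 1

    def recall(self, dram: deque) -> bytes:
        """Fetch the oldest chunk from DRAM and decrypt it for decompression."""
        ciphertext = dram.popleft()
        stream = self._keystream(self._read_seq, len(ciphertext))
        self._read_seq += 1
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


# Constructed chip identity numbers and sample data.
CHIP_A = 0x1122334455667788AA
CHIP_B = 0x1122334455667788AB
CHUNK = b"constructed compressed video chunk"

if __name__ == "__main__":
    owner, other = DataProcessor(CHIP_A), DataProcessor(CHIP_B)
    dram = deque()                 # what is visible on the memory bus
    owner.store(dram, CHUNK)
    owner.store(dram, CHUNK)
    copied = deque(dram)           # the same DRAM contents seen by another box
    print("bus shows plaintext:", dram[0] == CHUNK)
    print("owner recovers data:", owner.recall(dram) == CHUNK)
    print("other chip recovers data:", other.recall(copied) == CHUNK)
```

The protection rests entirely on the identity bits used as the key staying inside the chip, and an XOR keystream gives confidentiality on the bus only, not detection of modified buffer contents.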

[0013] Another aspect of this invention concerns the security of a computer system when used with a debugger/emulator tool commonly employed in program development. Without special procedures to limit the operation of the debugger/emulator tool, the security of the computer system would be subject to compromise.
[0014] The disclosed embodiment of the secure computing system uses an encryption system employing a private encryption key and a public decryption key. The private encryption key is used to encrypt at least a verification token for the program. The public decryption key corresponding to the private encryption key is stored at the secure computing system. Upon each initialization of the debugger/emulator for the secure computing system a security screen is performed. This involves determining if the program is a secure program or a non-secure program. The secure computer system decrypts the verification token employing the public decryption key. This decrypted verification token indicates the program as a secure program or a non-secure program. If the program is a secure program, then the debugger/emulator is operated in a process mode. The process mode permits the debugger/emulator access to the program while prohibiting access to at least one security feature of the secure computing system. If the program is a non-secure program, then the debugger/emulator is operated in a raw mode. The raw mode permits the debugger/emulator to access all features of the secure computing system.

[0015] A further security layer is used for operating system development intended for the secure computing system. Each data processor includes a unique chip identity number stored in a read only chip identity register. If the program is a secure program, then the debugger/emulator reads the chip identity number. A certain subset of the chip identity numbers and only this subset will permit the debugger/emulator to operate in the raw mode for a secure program. If the chip identity number does not fall within this subset then the debugger/emulator can only operate in the process mode.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0016] The present invention will now be further described by way of example, with reference to the accompanying drawings in which:

Figure 1 is a block diagram of one embodiment of the disclosed secure computing system;
Figure 2 is an example memory map of the boot read only memory of the digital media processor illustrated in Figure 1;
Figure 3 is an example memory map of the non-volatile memory of the set top box illustrated in Figure 1;
Figure 4 is an example memory map of the read write memory illustrated in Figure 1;
Figure 5 is a flow chart of the initial operation including the operating system verification of the digital media processor illustrated in Figure 1;
Figure 6 is a flow chart of the process for verification of an application to the set top box illustrated in Figure 1;
Figure 7 is a flow chart of the process of verification of a downloaded application program;
Figure 8 is a schematic diagram of a translation look aside buffer preventing virtual memory relocation of a certain page of memory of the digital media processor of Figure 1;
Figure 9 is a flow chart of the process of encrypting and decrypting compressed video data temporarily stored in random access memory; and
Figure 10 is a flow chart of the process of mode selection in a hardware debugger/emulator.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0017] The set top box of the future will enable home entertainment options such as the known video programming options, viewing video programming stored on fixed media such as digital video disks (DVD), Internet browsing via a telephone or cable modem and playing video games downloaded via the modem or via a video data stream. Such a variety of capability can only be provided by a fully programmable data processor which can receive and run downloaded programs. This opens up a host of security issues. Since much of the utility of the system depends on being able to download various applications, the possibility also exists for an unauthorized application being downloaded. Such an unauthorized application may be deliberately written to compromise the hierarchy of security.
[0018] Fully programmable set top boxes are vulnerable to three main types of attacks. An unauthorized application may interact with the operating system, possibly bypassing security. The set top box non-volatile memory may be replaced with modified resident applications, but with the original operating system. The non-volatile memory may be replaced with a new operating system. The most important item to protect is the operating system. If the operating system is compromised, an unauthorized person can do almost anything, including disguising the fact that the operating system is compromised.

[0019] Figure 1 illustrates in schematic form the parts of a versatile, programmable set top box system 100. Set top box system 100 is responsive to inputs from: television cable 101; direct satellite receiver front end 103; digital video disk (DVD) 105; an ordinary telephone line 107; and infrared remote control 109. These inputs are conventional and need not be more fully described here. Any interaction of these conventional inputs with the parts of the disclosed embodiment of the secure computing system will be more fully described below.

[0020] The central part of set top box system 100 is the set top box 110. Set top box 110 includes various interfaces for the inputs including: video analog-to-digital converter 111 connected to the television cable 101, which may optionally include a cable modem; video analog-to-digital converter 113 connected to direct satellite receiver front end 103; a DVD driver 115 capable of receiving and reading DVD 105; voice band modem 117 connected to telephone line 107; and infrared receiver 119 capable of receiving the infrared signals from infrared remote control 109.

[0021] Set top box 110 includes several output devices coupled to digital media processor 130. Video digital-to-analog converter 121 receives a video data stream from digital media processor 130 and supplies a corresponding video signal to television receiver 151. Typically the desired video data stream is modulated upon a carrier having a frequency which the television receiver 151 can normally receive. It is contemplated that video media processor 130 in cooperation with video digital-to-analog converter 121 will be capable of producing a video signal in a plurality of formats. Upon set up of set top box system 100 the particular format will be selected to correspond to the capability of the particular television receiver 151 employed. Audio digital-to-analog converter 123 receives an audio data stream from digital media processor 130 and supplies a base band audio signal to audio system 153. It is contemplated that this audio signal may encompass plural audio channels (i.e. left and right channels for stereo). It is also contemplated that any particular video source may include plural encoded audio data streams such as alternative languages, descriptive video or other separate audio programs (SAP). Note also that the audio data stream will typically also be modulated on the same carrier as the video signal for reception and demodulation by television receiver 151.

[0022] The intelligent part of set top box 110 is digital media processor 130. Digital media processor 130 is preferably embodied in a single integrated circuit. Note that in order for set top box 110 to be fully secure as intended, central processing unit 131 and boot ROM 135 must be located on the same integrated circuit. Digital media processor 130 includes central processing unit 131. Central processing unit 131 is illustrated generically and is not intended to limit the structure employed. Central processing unit preferably includes data processing capability for control functions required for selection of operating mode, channel tuning, security functions and the like. Central processing unit preferably also includes digital signal processing capability for decompressing compressed video and audio signals, decrypting encrypted video signals, converting the received video to the format of the user's television receiver, operating as a "software" cable modem and voice band modem and demodulating the signal from infrared remote control 109. Central processing unit 131 may include a microprocessor and a digital signal processor, a single data processor capable of all the necessary functions or a multiprocessor. The exact nature of central processing unit, except for details noted below, is not relevant to disclosure of the present application.

[0023] Digital media processor 130 further includes chip identity register 133. Chip identity register 133 is a programmable readable register holding an identity number unique to the integrated circuit embodying digital media processor 130. This identity number is preferably implemented as taught in U.S. Patent Application No. 08/813,887 entitled Circuits, Systems, and Methods for Uniquely Identifying a Microprocessor at the Instruction Set Level and filed March 7, 1997. As described in this patent application, the unique identification code is formed in a read-only data register by laser probing following integrated circuit test. The unique chip identity number may be specified via selective blowing of fuse or antifuse links or other techniques. This identity number permits a program to verify the exact identity of the particular digital media processor 130 used in the set top box 110.

[0024] Digital media processor 130 includes boot read only memory (ROM) 135. Digital media processor 130 is constructed so that central processing unit 131 begins executing program instructions stored within boot ROM upon each initial application of electric power. An exemplary memory map of boot ROM 135 is illustrated in Figure 2. Those skilled in the art will realize that the exact order of storage of the various parts is not as important as the existence of the detailed data types. Boot ROM 135 includes self boot code 201. Self boot code 201 is the program instructions initially executed by central processing unit 131 upon each initial application of electric power to digital media processor 130. In addition to the known processes for initializing computer systems, self boot code 201 also includes verification program code 202. Verification program code 202 will be further described below in conjunction with Figure 5. Boot ROM 135 also includes public signature keys. These public signature keys include real time operating system (RTOS) public signature key 203, first application public signature key 205, second application public signature key, to the Nth application public signature key 207. These public signature keys are employed in verification of the authorization of programs in a manner that will be further described below.
[0025] Digital media processor 130 also includes table look-aside buffer (TLB) 137. Table look-aside buffer 137 is employed to enhance security during virtual memory operation in a manner further described below.
[0026] Set top box 110 includes flash (electrically programmable read only memory) EPROM 141 bi-directionally coupled to digital media processor 130. Flash EPROM 141 serves as the non-volatile memory for set top box system 100. This is known as a non-volatile memory because it retains its contents when electric power is turned "OFF". Non-volatile memory is needed for the real time operating system (RTOS) and for resident applications. Figure 3 illustrates an exemplary memory map of flash EPROM 141. Flash EPROM 141 includes the real time operating system (RTOS) 210. RTOS 210 includes program code enabling digital media processor 130 to receive and process various data streams as they are received, i.e. in "real time". RTOS 210 also enables digital media processor 130 to respond to operator control via infrared remote control 109 and infrared receiver 119. RTOS 210 includes a signature portion 211 whose use will be further described below. Flash EPROM 141 also includes program code for the first resident application 220 with its corresponding signature portion 221. Likewise, flash EPROM 141 includes program code for the second resident application 230 and its corresponding signature portion 231 and program code for other resident applications to the Mth resident application 240 and its corresponding signature portion 241. Flash EPROM 141 optionally includes additional public keys including N + 1st public key 251, N + 2nd public key 253 to N + Pth public key 255. These additional public signature keys are similar to the N public signature keys stored in boot ROM 135. Their use will be detailed below.

[0027] Set top box 110 further includes dynamic random access memory (DRAM) 143 bi-directionally coupled to digital media processor 130. DRAM 143 is a volatile memory that serves as read/write memory to temporarily store transient data during normal operations. DRAM 143 is preferably embodied by synchronous memory employing a RAMBUS interface. Figure 4 illustrates an exemplary memory map of DRAM 143. DRAM 143 stores the memory resident part 261 of the real time operating system. Depending upon the particular status of set top box system 100 this memory resident part 261 of the RTOS may differ as known in the art. DRAM 143 stores the memory resident parts 263 of the currently running application or applications. These applications may be resident applications stored in flash EPROM 141 or transient applications stored in other parts of DRAM 143. Depending upon the status of set top box system 100, there may be various applications running and their immediately accessible parts will be stored in DRAM 143 for faster access than from flash EPROM 141. DRAM 143 also stores transient data 265. This transient data 265 includes temporary data used by the various applications as well as the current control status as controlled by the user via infrared remote control 109 and infrared receiver 119. DRAM 143 stores the program code of various transient applications such as first transient application 271, second transient application 273 to Qth transient application 275. Transient applications are those loaded via cable modem 111, voice band modem 117 or DVD drive 115 that are intended for use only during the current session of set top box system 100. These may include video games, Internet browsing and the like. These transient applications are loaded into DRAM 143 each time they are used and then discarded. DRAM 143 also stores compressed video in a first-in-first-out (FIFO) buffer 280. Video data from television cable 101, direct satellite receiver front end 103 and DVD 105 will generally be transmitted in compressed form. This saves transmission bandwidth and storage space. One of the tasks of digital media processor 130 is to decompress the video data. Current video compression formats (such as MPEG2) and all contemplated future video compression formats are non-linear. That is, the different portions of the video data stream are compressed to differing degrees. Thus a constant rate of received video data represents varying amounts of video. Following decompression, digital media processor must supply video data in a constant rate to be viewed. Compressed video FIFO buffer 270 is necessary to smooth out the variations in the rate of receipt. This permits the decompression process to neither overflow with too much compressed data nor underflow with no compressed data ready for decompression. This is possible because the compressed video data stream represents a constant rate video data stream that is to be viewed. Thus the overall average compressed video data rate corresponds to the constant real time viewing rate.

[0028] Figure 5 is a flow chart 300 of an example of digital media processor 130 operations controlled by boot ROM 135. Upon each initial application of electric power to set top box system 100, digital media processor begins executing the program stored in a predetermined location within boot ROM 135. Those portions of this program within boot ROM 135 relevant to disclosure of the present application are illustrated in Figure 5. Program 300 first initializes digital media processor 130 (processing block 301). This process would include clearing registers and caches, setting the initial operating mode and the like, in a manner known in the art. Following initialization of the processor, program 300 reads the signature portion 211 of RTOS 210 stored in flash EPROM 141 (processing block 302). Program 300 next reads the RTOS public key 203 from boot ROM 135 (processing block 303). Next program 300 verifies the signature portion 211 of RTOS 210 (processing block 304). In accordance with the known art of public key encryption such as the RSA algorithm, signature portion 211 is produced by operating upon all of RTOS 210 with a secret private signature key. The original data of signature portion 211 is recovered by a reverse process employing RTOS public signature key 203 stored in boot ROM 135. This signature verification process takes into account what is known as a "trap door" function. It is a very difficult process to produce a particular signature portion knowing only the public key. A change of any portion of RTOS 210 is very likely to result in a change in the signature portion 211 in a manner that cannot be predicted from only the RTOS public signature key 203. Thus it is possible to detect any change in RTOS 210 employing the signature portion 211.

[0029] Following the verification, program 300 tests the verified signature portion to determine if RTOS 210 supports secure applications (decision block 305). The preferred embodiment of the secure computing system of the present application contemplates that digital media processor 130 could be embodied in applications not requiring the security of set top boxes. In such applications, the verified signature portion 211 indicates that the RTOS need not be secured. Note that even a non-secure RTOS must have its stub verified. Failure of the signature verification is fatal whether the RTOS is secure or non-secure. Program 300 bypasses other steps and starts RTOS 210 (processing block 310) if this signature portion 211 indicates a non-secure use. This will typically involve loading at least a portion of RTOS 210 into DRAM 143. It is anticipated that DRAM 143 will allow much faster memory access than flash EPROM 141. Thus loading portions of RTOS 210 into DRAM 143 will enable faster operation.
[0030] If the verified signature portion indicates that RTOS 210 is to support secure applications (decision block 305), then program 300 tests to determine if RTOS 210 can be verified as correct (decision block 306). As described above, the trap door function of the private key signature with public key signature makes it a very difficult task to modify RTOS 210 without producing an unpredictable modification of signature portion 211. Thus the initial program stored in boot ROM 135 will almost certainly be able to detect unauthorized modification of RTOS 210. This verification of RTOS 210 permits the vendor of set top box system 100 to be confident of the security of the system.
[0031] If the verified signature portion is not verified as secure, then program 300 indicates that RTOS 210 is non-secure (processing block 307). Thereafter program 300 takes remedial action (processing block 308). This remedial action can take many forms. At the most severe, this remedial action could be complete disablement of set top box 110. Shutting down media processor 130 will disable set top box 110 since it is the intelligence of set top box 110. In most secure applications running a non-verified RTOS would be considered very dangerous and the only reasonable remedial action is disabling set top box 110. In a few cases a less severe remedial action may be appropriate. As a less severe remedial measure, digital media processor 130 could be programmed to no longer interact with video data streams from television cable 101, direct satellite receiver front end 103 and/or DVD 105. This mode may permit running local only transient applications. The remedial action could include signaling the set top box vendor or service provider of the security violation via cable modem 111 or voice band modem 117. The recipient of this notification could then determine either automatically or manually how to deal with the security violation. One method of responding to such a notification of a security violation is to download via cable modem 111 or voice band modem 117 an authorized copy of the RTOS for storage in flash EPROM 143, overwriting the unauthorized copy. Another method is to download a diagnostic program which will verify and determine the extent of the security violation. At the least severe level, most suitable for service providers who supply only advertiser supported program material, the remedial action is to ignore the security violation and permit operation of the non-secure RTOS.

[0032] If the verified signature portion is verified as secure, then
program 300 indicates that RTOS 210 is verified (processing block 309).
Thereafter program 300 starts operation of RTOS 210 (processing block
310). As described above this would typically involve copying at least
portions of RTOS 210 from flash EPROM 141 to DRAM 143. Following such a
copying, program control would be transferred to the RTOS copy in DRAM
143 via a jump instruction. RTOS 210 then enables all the authorized
functions of set top box system 100.
[0033] The entire RTOS could be encrypted using the private key as an
alternative to employing merely a signature verification process. The
steps illustrated in Figure 5 would be similar except that the entire
RTOS must be decrypted using the public key rather than just the
signature portion. In this event the decrypted RTOS would be copied to
an operating portion of DRAM 143 upon verification. Thereafter program
control would be passed to this copy of the RTOS from the boot ROM
program via a jump instruction. In this case a non-verified RTOS even
if copied into the same part of DRAM 143 will not operate. An incorrect
decryption of an unauthorized RTOS 210 would likely result in an
inoperable operating system. Thus the remedial action in this case
disables set top box 110. Note the use of a private key to encrypt and
a public key to decrypt is the reverse of the usual private key/public
key system. Currently, only the RSA system is known to permit this
reverse use.
[0034] Figure 6 is a flow chart 400 of an example of digital media
processor 130 operations when called to load and run a resident
application. Following the command to start the resident application
program (processing block 401), program 400 reads the corresponding
signature portion of the resident application stored in flash EPROM 141
(processing block 402). Program 400 next reads the corresponding public
key from boot ROM 135 or flash EPROM 141 (processing block 403). As
noted above in the memory maps of boot ROM 135 and flash EPROM 141, the
public keys for resident application programs may be stored in boot ROM
135 or in flash EPROM 141. Alternatively, set top box 100 may be
constructed so that the public keys for some resident applications are
stored in boot ROM 135 and the public keys for the remaining resident
applications are stored in flash EPROM 141. Next program 400 verifies
the signature portion of the resident application (processing block
404). This signature verification process is the same as previously
described in conjunction with verification of RTOS 210.

[0035] Following the verification, program 400 tests the verified
signature portion to determine if the resident application supports
security (decision block 405). It is contemplated that any resident
application that interacts with program content received from
television cable 101, direct satellite receiver front end 103 or DVD
150 will require security. Other resident applications may require
security at the option of the application program vendor. Program 400
bypasses other steps, loads the resident application into DRAM 143 and
starts the application program (processing block 410) if this signature
portion indicates a non-secure use.
[0036] If the verified signature portion indicates that the resident
application is to support secure applications (decision block 405),
then program 400 tests to determine if the resident application can be
verified as correct (decision block 406). The trap door function of the
private key encryption with public key decryption makes it a very
difficult task to modify the resident application program without
producing an unpredictable modification of signature portion, thus
enabling verification of the authorization of the resident application.
[0037] If the signature portion is not verified as secure, then program
400 indicates that the resident application is non-secure (processing
block 407). Thereafter program 400 takes remedial action (processing
block 408). This remedial action could be any of the many forms
described above.

[0038] If the signature portion is verified as secure, then program 400
indicates that the resident application is verified (processing block
409). Thereafter program 400 starts the resident application by
transferring at least part of its program code to DRAM 143 and
transferring control via a jump instruction. It is contemplated that
resident application programs will have access to less than all of the
digital media processor functions accessible via RTOS 210.

[0039] The entire resident application could be encrypted using the
private key as described above. The steps illustrated in Figure 6 would
be similar except that the entire resident application must be
decrypted using the public key rather than just the signature portion.
As previously described, using this technique means that an
unauthorized program will probably crash and disable set top box 110.
[0040] Figure 7 is a flow chart 500 of an example of verification of a
downloaded program. Following the command to start downloading an
application program (processing block 501), program 500 downloads the
application and stores it in DRAM 143 (processing block 502). Then
program 500 reads the corresponding signature portion of the downloaded
application stored in DRAM 143 (processing block 503). Program 500 next
reads the corresponding public key from boot ROM 135 or flash EPROM 141
(processing block 504). As noted above in the memory maps of boot ROM
135 and flash
EPROM 141, the public keys for resident application programs may be
stored in either boot ROM 135 or in flash EPROM 141. Next program 500
runs signature verification on the downloaded application program
(processing block 505). This signature verification process is the same
as previously described in conjunction with verification of RTOS 210. A
secure application program will have a signature portion that permits
verification of the entire downloaded application program. A non-secure
application program will have a verifiable signature stub.

[0041] Program 500 next tests to determine if the signature or
signature stub has been verified (decision block 506). If the signature
or signature stub has not been verified as proper, then program 500
would indicate a security violation (processing block 507) and take
remedial action (processing block 508). This remedial action could be
any of the many forms described above. In addition, another possible
remedial action in this instance is to make a further attempt to
download this application. Thus program 500 could loop back to
processing block 502 to repeat the download. This remedial action would
permit recovery if an authorized application was corrupted, such as by
noise or the like, during download. If this option is used, it is
preferable to abort this loop after a predetermined number of signature
verification failures.

[0042] Following successful verification of the signature or signature
stub, program 500 tests the verified signature portion to determine if
the downloaded application supports security (decision block 509).
Program 500 bypasses other steps, stores and runs the downloaded
application program (processing block 512), if this signature portion
indicates a non-secure use. Note that the downloaded application
program may be loaded into flash EPROM 141 if it is intended to be
another resident application or into DRAM 143 if it is intended to be a
transient application.
[0043] If the verified signature portion indicates that the downloaded
application program supports secure applications (decision block 509),
then program 500 tests to determine if the downloaded application can
be verified as correct (decision block 511). The trap door function
makes it a very difficult task to modify the downloaded application
program without producing an unpredictable modification of signature
portion, thus enabling verification of the authorization of the
downloaded application program.
[0044] If the downloaded application program is not verified as correct
(decision block 510), then program 500 indicates that the downloaded
application is non-secure (processing block 507). Thereafter program
500 takes remedial action (processing block 508). This remedial action
could be any of the many forms described above and may include making a
further attempt to download this application program.
[0045] If the downloaded application is verified as correct (decision
block 510), then program 500 indicates the downloaded application is
secure (processing block 511). Thereafter program 500 stores and runs
the downloaded application program (processing block 512). As described
above, this storage will be in flash EPROM 141 if the application is a
resident application or in DRAM 143 if the application is a transient
application. Program 500 starts the downloaded application program by
transferring at least part of its program code to DRAM 143 and
transferring control via a jump instruction.

[0046] The entire downloaded application program could be encrypted
using the private key as described above. The steps illustrated in
Figure 7 would be similar except that the entire downloaded application
must be decrypted using the public key rather than just verifying the
signature portion. As previously described, using this technique means
that an unauthorized program will probably crash and disable set top
box 110.
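
The Figure 7 flow can be modelled in C as follows. This is an added example, not code from the patent: the structure layout, the toy RSA key (n = 3233), the stand-in digest and the sample downloads are all assumptions constructed for illustration. It shows the verified stub carrying the secure/non-secure flag, the whole-program check for secure applications, and the bounded download retry.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy RSA key (p=61, q=53), constructed for this example; far too small for real use. */
#define RSA_N 3233u
#define RSA_E 17u    /* public exponent: the only key material the boot ROM holds */
#define RSA_D 2753u  /* private exponent: stays with the vendor, never on the device */

enum verdict { RUN_NONSECURE, RUN_SECURE, VIOLATION };

struct app {                /* hypothetical layout of a downloaded program */
    uint8_t  secure;        /* 1 = supports secure applications */
    uint8_t  image[16];     /* program body */
    uint32_t stub_sig;      /* signature stub: covers the secure flag */
    uint32_t image_sig;     /* covers flag + body; used only when secure == 1 */
};

static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t r = 1, b = base % mod;
    for (; exp; exp >>= 1) {
        if (exp & 1u) r = r * b % mod;
        b = b * b % mod;
    }
    return (uint32_t)r;
}

/* Stand-in digest (not cryptographic), kept below RSA_N so it can be signed. */
static uint32_t digest(const uint8_t *p, size_t n, uint32_t h) {
    for (size_t i = 0; i < n; i++) h = (h * 31u + p[i]) % RSA_N;
    return h;
}
static uint32_t stub_digest(const struct app *a) { return digest(&a->secure, 1, 7u); }
static uint32_t image_digest(const struct app *a) {
    return digest(a->image, sizeof a->image, stub_digest(a));
}

/* Vendor side: transform each digest with the private key. */
void vendor_sign(struct app *a) {
    a->stub_sig  = modpow(stub_digest(a), RSA_D, RSA_N);
    a->image_sig = a->secure ? modpow(image_digest(a), RSA_D, RSA_N) : 0u;
}

/* Device side (blocks 505 to 511): only the public key is needed. */
enum verdict verify_app(const struct app *a) {
    if (modpow(a->stub_sig, RSA_E, RSA_N) != stub_digest(a)) return VIOLATION;
    if (!a->secure) return RUN_NONSECURE;   /* stub verified, non-secure use */
    if (modpow(a->image_sig, RSA_E, RSA_N) != image_digest(a)) return VIOLATION;
    return RUN_SECURE;
}

typedef void (*fetch_fn)(struct app *out, int attempt);

/* Repeat the download on failure; give up after max_failures violations. */
enum verdict download_and_verify(fetch_fn fetch, int max_failures, int *failures) {
    struct app a;
    *failures = 0;
    for (;;) {
        fetch(&a, *failures);
        enum verdict v = verify_app(&a);
        if (v != VIOLATION) return v;
        if (++*failures >= max_failures) return VIOLATION;
    }
}

/* Constructed sample downloads. */
static void make_signed(struct app *a, uint8_t secure) {
    memset(a, 0, sizeof *a);
    a->secure = secure;
    memcpy(a->image, "constructed-app", sizeof a->image);
    vendor_sign(a);
}
/* Authorized program, corrupted by line noise on the first transfer only. */
void noisy_fetch(struct app *a, int attempt) {
    make_signed(a, 1);
    if (attempt == 0) a->image[3] ^= 0x40;
}
/* Body modified after signing: every transfer fails verification. */
void tampered_fetch(struct app *a, int attempt) {
    (void)attempt;
    make_signed(a, 1);
    a->image[0] = 'X';
}
/* Secure flag cleared after signing in an attempt to skip the body check. */
void downgraded_fetch(struct app *a, int attempt) {
    (void)attempt;
    make_signed(a, 1);
    a->secure = 0;
}
/* Properly signed non-secure program: only the stub is checked. */
void nonsecure_fetch(struct app *a, int attempt) {
    (void)attempt;
    make_signed(a, 0);
}

int main(void) {
    int f;
    printf("noisy:      verdict %d", download_and_verify(noisy_fetch, 3, &f));
    printf(" after %d failure(s)\n", f);
    printf("tampered:   verdict %d", download_and_verify(tampered_fetch, 3, &f));
    printf(" after %d failure(s)\n", f);
    printf("downgraded: verdict %d\n", download_and_verify(downgraded_fetch, 1, &f));
    printf("non-secure: verdict %d\n", download_and_verify(nonsecure_fetch, 3, &f));
    return 0;
}
```

Because the flag is inside the signed stub, clearing it on a secure program fails at the first check rather than bypassing the second.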
[0047] This security technique relies upon the security of boot ROM
135. Since boot ROM 135 is located on the same integrated circuit as
the other parts of digital media processor 130 and it is read-only, it
is not subject to unauthorized change. Therefore the verification
function cannot be changed to verify an unauthorized RTOS. Many of the
security functions will be available only to the RTOS based upon
program privilege labels. Thus most security functions cannot be easily
compromised. The private key used for encryption will only be known to
the RTOS supplier, or only to the manufacturer of digital media
processor 130. In addition the public key needed to verify the
signature or to decrypt the RTOS is also in the boot ROM. This prevents
substitution of another public key in an attempt to cause digital media
processor 130 to verify an unauthorized RTOS. Additionally, the
resident applications are also secure. The private keys for resident
applications can be known only by the application owner, or by the
service provider who authorizes the application.

[0048] The above private key/public key signature verification system
will protect against most security attacks. However, if the private key
used to authenticate the RTOS is compromised, the security may be
defeated by replacing the RTOS with an unauthorized RTOS which will
still look authentic.
[0049] The simplest way to detect a modified RTOS would be to check the
resident RTOS against the authorized program. An application program,
such as a diagnostic program, could read certain memory locations in
the RTOS to see if they contain the expected values. This may not
always reveal unauthorized substitution of another RTOS. Many complex
data processors such as would be used to embody digital media processor
130 support virtual memory. In a virtual memory environment the RTOS is
quite capable of virtualising itself. Thus the unauthorized RTOS would
intercept the confirming read attempts and return the results that the
diagnostic application expects from a copy of the authorized RTOS.
However, this unauthorized RTOS
would run instead of the original RTOS consequently compromising
security. The present application proposes a technique which assures
that an application can access a portion of memory directly without
being intercepted and translated to a virtual address by the RTOS.

[0050] Figure 8 illustrates in block diagram form a translation
look-aside buffer (TLB) 137 having a locked page in accordance with the
teachings of the present application. Virtual memory applications
translate a virtual address into a physical address. As is known in the
art, TLB 137 receives a virtual address on bus 601 and supplies a
corresponding physical address on bus 602. A predetermined number of
most significant address bits of the virtual address are supplied to a
plurality of comparators 621, 623, 625 and 627. The remaining least
significant address bits of the virtual address on bus 601 are passed
unchanged to the corresponding bits of physical address on bus 620.
Each comparator 621, 623, 625 and 627 has a corresponding virtual
address register 611, 613, 615 and 617, respectively. The comparators
621, 623, 625 and 627 determine if the predetermined number of most
significant bits of the virtual address on bus 601 matches the contents
of the respective registers 611, 613, 615 and 617. Each comparator 621,
623, 625 and 627 supplies a match indication to multiplexer 650.
Multiplexer 650 supplies the predetermined number of most significant
bits from one of the physical address registers 641, 643, 645 and 647.
The physical address register selected by multiplexer 650 corresponds
to the comparator 621, 623, 625 or 627 detecting a match. These most
significant physical address bits selected by multiplexer 650 are
supplied to the most significant bits of the physical address on bus
602. Thus TLB 137 substitutes a predetermined number of bits of a
physical address for the same number of bits of the virtual address.
The number of possible substitutions enabled by the virtual address
register and its corresponding comparator and physical address register
is limited only by considerations of operation code space to access the
registers and the amount of space occupied by the TLB. In the prior art
virtual address registers 611, 613, 615 and 617 and physical address
registers 641, 643, 645 and 647 are alterable via software. Thus the
real time operating system has control of the mapping of virtual
addresses to physical addresses.

[0051] In the preferred embodiments of the disclosed secure computing
system one of the virtual address registers and the corresponding
physical address register are fixed upon manufacture. In the preferred
embodiment this pair of registers are mask programmable at metal
layers, permitting the locked page to be selected upon manufacture of
the integrated circuit including TLB 137 but unalterable following
manufacture. Figure 8 illustrates a fixed virtual address register 611
and its corresponding fixed physical address register 641. In the
preferred embodiment the virtual address stored in fixed virtual
address register 621 equals the physical address stored in fixed
physical address register 641. In the preferred embodiment the critical
code to be protected from relocation will be stored in flash EPROM 141
within the boundary of physical addresses covered by this virtual
address register. Attempts to write to either fixed virtual address
register 611 or fixed physical address register 641 will fail because
these registers are fixed in hardware. Preferably there will be no
faults or errors generated by an attempt to modify these registers.
Alternatively, neither the fixed virtual address register 611 nor the
fixed physical address register 641 are accessible via the instruction
set architecture. Since the reason that fixed virtual address register
611 or fixed physical address register 641 are fixed is to prevent
alteration, no access via the instruction set architecture would ever
be required.

[0052] A further feature of the disclosed embodiment of the present
application is illustrated in Figure 8. Note that the match indication
from comparator 621 is supplied directly to multiplexer 650. The match
indication from other comparators form the noninverting input to
respective AND gates 633, 635 and 637. Each of these AND gates 633, 635
and 637 receives the match indication from comparator 621 on an
inverting input. Thus a match indication from comparator 621 prevents
supply of a match indication to multiplexer 650 from any other
comparator. This prevents an unauthorized person from leaving the
original RTOS in place to respond to security queries while attempting
to run an unauthorized RTOS from a relocated part of memory. Any memory
accesses to the physical memory addresses of virtual address register
611 and physical address register 641 cannot be relocated but are
directed to the physical address of the original RTOS.

[0053] With the disclosed embodiment of the present application an
unauthorized attempt to relocate the RTOS may occur, but no actual
address translation will take place. Thus if the original RTOS is
always located in this memory area, a diagnostic program can read
signature locations with assurance that the original physical locations
are being accessed. Thus the diagnostic program can determine if the
RTOS is compromised, and take appropriate remedial action. This
remedial action may include any of the remedial actions previously
described.
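
A software model of the locked-page TLB of Figure 8, given here as an added example and not as code from the patent. The 4 KiB page size, 32-bit addresses, the locked page number 0x00100 and the sample mappings are assumptions; entry 0 stands for the fixed register pair 611/641 and entries 1 to 3 for the writable pairs. It shows the two properties the text relies on: writes to the fixed pair are dropped without a fault, and a match on the fixed pair gates off every other match.

```c
#include <stdint.h>
#include <stdio.h>

#define TLB_ENTRIES 4
#define PAGE_SHIFT  12u                        /* assumed: 4 KiB pages */
#define OFFSET_MASK ((1u << PAGE_SHIFT) - 1u)
#define LOCKED_PAGE 0x00100u                   /* assumed value fixed at manufacture */
#define NO_MAPPING  0xFFFFFFFFu                /* returned by the demo on a TLB miss */

struct tlb {
    uint32_t vpage[TLB_ENTRIES];  /* [0] models register 611, [1..3] 613/615/617 */
    uint32_t ppage[TLB_ENTRIES];  /* [0] models register 641, [1..3] 643/645/647 */
    int      valid[TLB_ENTRIES];
};

void tlb_reset(struct tlb *t) {
    for (int i = 0; i < TLB_ENTRIES; i++) {
        t->vpage[i] = 0;
        t->ppage[i] = 0;
        t->valid[i] = 0;
    }
    /* Fixed pair: virtual page equals physical page, as in the preferred embodiment. */
    t->vpage[0] = LOCKED_PAGE;
    t->ppage[0] = LOCKED_PAGE;
    t->valid[0] = 1;
}

/* Software write to a register pair. A write aimed at the fixed pair
 * (entry 0) changes nothing and raises no fault. */
void tlb_write(struct tlb *t, int idx, uint32_t vpage, uint32_t ppage) {
    if (idx < 1 || idx >= TLB_ENTRIES) return;
    t->vpage[idx] = vpage;
    t->ppage[idx] = ppage;
    t->valid[idx] = 1;
}

/* Returns 1 and stores the physical address on a hit, 0 on a miss. */
int tlb_translate(const struct tlb *t, uint32_t vaddr, uint32_t *paddr) {
    uint32_t vp = vaddr >> PAGE_SHIFT;
    int fixed_match = (vp == t->vpage[0]);     /* comparator 621 */
    int sel = fixed_match ? 0 : -1;

    for (int i = 1; i < TLB_ENTRIES; i++) {
        int match = t->valid[i] && vp == t->vpage[i];
        int gated = match && !fixed_match;     /* AND gate, 621 on inverting input */
        if (gated && sel < 0) sel = i;
    }
    if (sel < 0) return 0;
    /* Multiplexer: substitute the page bits, pass the offset bits unchanged. */
    *paddr = (t->ppage[sel] << PAGE_SHIFT) | (vaddr & OFFSET_MASK);
    return 1;
}

/* Constructed scenario: software tries to rewrite the fixed pair and to
 * shadow the locked page through a writable pair, then a diagnostic
 * program reads vaddr. Returns the physical address actually accessed. */
uint32_t diagnostic_read_target(uint32_t vaddr) {
    struct tlb t;
    uint32_t pa = NO_MAPPING;
    tlb_reset(&t);
    tlb_write(&t, 0, LOCKED_PAGE, 0x00800u);   /* dropped silently */
    tlb_write(&t, 1, LOCKED_PAGE, 0x00800u);   /* stored, but always gated off */
    tlb_write(&t, 2, 0x00200u, 0x00900u);      /* ordinary remap still works */
    return tlb_translate(&t, vaddr, &pa) ? pa : NO_MAPPING;
}

int main(void) {
    printf("locked page read -> 0x%08x\n", (unsigned)diagnostic_read_target(0x00100024u));
    printf("ordinary read    -> 0x%08x\n", (unsigned)diagnostic_read_target(0x00200010u));
    printf("unmapped read    -> 0x%08x\n", (unsigned)diagnostic_read_target(0x00300000u));
    return 0;
}
```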

[0054] The set top box 100 illustrated in Figure 1 includes an
additional potential security problem. DRAM 143 stores a video data
stream that has been decrypted but not decompressed. This video data is
stored in compressed video FIFO buffer 280. It is possible for an
unauthorized person to intercept this data as it is being transferred
from digital media processor 130 to DRAM 143 or as it is being
transferred from DRAM 143 to digital media processor 130. These data
transfers will be interleaved with other data traffic between digital
media processor 130 and DRAM 143, but it is feasible to separate the
compressed video data. Because the video is compressed, a minimal
amount of
memory would be required to store this data. Some content providers
would like to prevent their video programming from such interception.
Note that interception of the video data stream at this point would
permit generation of plural, identical and immediately viewable copies
of the video.

[0055] Figure 9 illustrates in flow chart form a process preventing
such unauthorized interception. Following reception of the video data
stream (processing block 701) digital media processor 130 decrypts the
video data stream (processing block 702). This decryption is subject to
security procedures to ensure that the user is authorized to view this
video data stream. Following this decryption of the source program,
digital media processor encrypts the video data stream again
(processing block 703). In this instance a relatively simple encryption
is used, such as a simplified DES algorithm. The encryption key is
preferably derived from the chip identity number stored in chip
identity register 133. This encrypted data is stored in compressed
video FIFO buffer 280 (processing block 704). At the appropriate time,
the video data is recalled from compressed video FIFO buffer 280
(processing block 705). The recalled data is decrypted using the
encryption key derived from the chip identity number (706). This data
is then ready for further processing (processing block 707).
[0056] This technique has the advantage that the compressed video data
stream temporarily stored in compressed video FIFO buffer 280 can only
be read by the particular digital media processor 130. The chip
identity number is unique to that particular digital media processor.
The video data cannot be viewed by any other means, even another
identical set top box system 100, without breaking the code. This is
believed adequate security by most content providers. Additionally, the
encryption and decryption is transparent to the user. There only needs
to be a small additional processing capacity available within digital
media processor 130 beyond the minimal requirement of the particular
application.
[0057] Another potential security problem is created by the hardware
debugger/emulator. The semiconductor manufacturer of digital media
processor 130 will generally also sell hardware debugger/emulator
systems to application program developers, including operating system
developers. Generally such hardware debugger/emulator systems by design
have unlimited access to all of memory, including "private" areas. Thus
a hardware debugger/emulator system of the type known in the art would
permit unauthorized breach of the security of set top box system 100.
[0058] The following modification to the hardware debugger/emulator
system will guard against this potential security problem. The hardware
debugger/emulator will operate in two modes, a process mode and a raw
mode. In the process mode, the hardware debugger/emulator may only
access a particular process or application program. All system access
is permitted in the raw mode.

[0059] Figure 10 is a flow chart illustrating the process of selecting
the mode at the hardware debugger/emulator. Upon start of the hardware
debugger/emulator (processing block 801), process 800 reads the
signature portion 211 of RTOS 210 stored in flash EPROM 141 (processing
block 802). Process 800 next reads the RTOS public key 203 from boot
EPROM 135 (processing block 803). Next process 800 verifies the
signature portion 211 of RTOS 210 (processing block 804). Following the
verification, process 800 tests the verified signature portion to
determine if RTOS 210 supports secure applications (decision block
805). As previously described, digital media processor 130 could be
embodied in applications not requiring the security of set top boxes.
In such applications, the verified signature portion 211 indicates that
the RTOS need not be secured. If this is the case, then process 800
bypasses other steps and activates the hardware debugger/emulator in
raw mode (processing block 806).
[0060] If the RTOS supports secure applications (decision block 805),
then process 800 checks to determine if the chip identity number stored
in chip identity register 133 is of the subset of possible chip
identity numbers that permit the raw mode for secure applications
(decision block 807). Some program developers, particularly RTOS
developers, will need access to the raw mode of the hardware
debugger/emulator. The present application contemplates that a bit or
bits or some subset of the possible coding of the chip identity number
will be reserved for hardware debugger/emulators supporting this use.
Thus only a certain limited number of the digital media processors 130
will permit raw mode operation of the hardware debugger/emulator in
environments supporting the security described above. The manufacturer
of digital media processor 130 will supply these particularly
identified chips only to trusted program developers.
[0061] If the chip identity number does not permit raw mode operation
(decision block 807), process 800 reads a token from the particular
process or application program under development in the hardware
debugger/emulator. Process 800 then determines if this token is
verified as proper (decision block 809). This process could take place
using the private key encryption and public key decryption described
above, or another verification procedure could be employed. If the
token is not verified (decision block 809), then process 800 takes
appropriate remedial action (processing block 810). The various types
of remedial action that could be taken have already been described. If
the token is verified (decision block 809), then process 800 activates
the hardware debugger/emulator in process mode (processing block 811).
In the process mode, the hardware debugger/emulator may only access a
particular process or application program corresponding to the verified
token.

[0062] This process satisfies all the requirements of the users.
Program developers who use digital media processor 130 in non-secure
applications will have complete access to the functions of the hardware
debugger/emulator. Program developers who use digital media processor
130 in secure applications will have access limited. Most of those
program developers will use the secure RTOS and have access only to
their own programs as identified by the token encrypted with their
corresponding private key. RTOS developers will have complete system
access but only to particular digital media processors having the
proper chip identity numbers. Thus the manufacturer of digital media
processor 130 can have the proper level of control in order to protect
the security of set top box systems 100.
[0063] The exemplary embodiments of this patent application have been
described in conjunction with a particular type system requiring
computer security, i.e. the set top box. Those skilled in the art would
realize that the use of these security techniques is not limited to
this example. Particularly, almost any computer system requiring that
some functions have a degree of security may employ these techniques.

Claims 

1. A secure computing system comprising:

a non-volatile memory for storing program code for at least one
program, said program code including a verification code encrypted with
a predetermined private key;
a data processor for data manipulation under program control disposed
on an integrated circuit, said data processor executing a program
stored at a predetermined address upon each initial application of
electric power;
a read only memory disposed on said integrated circuit for storing a
public key corresponding to said predetermined private key and for
storing an initialization program stored beginning at said
predetermined address, said initialization program including
instructions for causing said data processor to employ said public key
to decrypt said verification code of said at least one program stored
in said non-volatile memory, said initialization program further
including instructions for causing said data processor to indicate
verification of security of said program or non-verification of
security of said program.

2. The secure computing system of claim 1, wherein said at least one
program stored in said non-volatile memory comprises a real time
operating system for said secure computing system.

3. The secure computing system of claim 2, wherein said at least one
program stored in said non-volatile memory includes an application
program for cooperating with said real time operating system, said
application program including a second verification code encrypted with
a predetermined second private key;

said read only memory further being arranged for storing a second
public key corresponding to said predetermined second private key, and
said initialization program further including instructions for causing
said data processor to employ said second public key to decrypt said
second verification code of said application program stored in said
non-volatile memory, and to indicate verification of security of said
application program or non-verification of security of said application
program.

4. The secure computing system of claim 1, wherein said at least one
program stored in said non-volatile memory includes a real time
operating system for said secure computing system and a plurality of
application programs for cooperating with said real time operating
system, each of said application programs including a corresponding
verification code encrypted with a predetermined private key;

said read only memory being arranged for storing a public key
corresponding to each of said predetermined private keys, and said
initialization program further including instructions for causing said
data processor to employ said corresponding public key to decrypt said
verification code of each of said plurality of application programs
stored in said non-volatile memory, and to indicate verification of
security of each of said plurality of application programs or
non-verification of security of each of said application programs.

5. The secure computing system of any of claims 1 to 4, wherein said
initialization program stored in said read only memory includes
instructions for causing said data processor to disable operation of
said program upon non-verification of security of said program stored
in said non-volatile memory.

6. A secure computing system comprising:

a memory for storing data and/or instructions at corresponding
addresses;
an address generator for generating virtual addresses of a first
predetermined number of bits for accessing data and/or instructions in
said memory;
a table look-aside buffer connected to said address generator having a
fixed virtual address register of a second predetermined number of bits
less than said first predetermined number of bits,

a plurality of writable virtual address registers of said second
predetermined number of bits,
a first comparator connected to said address generator and said fixed
virtual address register for comparing the contents of said first fixed
address register with said second predetermined number of bits of said
virtual address and indicating a match,
a plurality of second comparators, each connected to a corresponding
virtual address register and said address generator, each for comparing
the contents of said corresponding virtual address register with said
second predetermined number of bits of said virtual address and
indicating a match,
a fixed physical address register of said second predetermined number
of bits,
a plurality of writable physical address registers of said second
predetermined number of bits, and
a multiplexer connected to said memory, said address generator, said
first comparator, each of said second comparators, said fixed physical
address register and each of said plurality of writable physical
address registers, said multiplexer responsive to a match by one of
said comparators to substitute contents of a physical register
corresponding to said matching comparator for most significant bits of
said virtual address and thereby form a physical address supplied to
said memory for memory access.

7. The secure computing system of claim 6, wherein:

said multiplexer is responsive to an indication
of a match by said first comparator to substitute
the contents of said fixed physical register for
most significant bits of said virtual address.

8. The secure computing system of claim 6 or claim 7,
wherein said fixed virtual address register and said
fixed physical address register are mask programmable
in manufacture.

9. The secure computing system of any of claims 6 to
8, wherein said plurality of writable virtual address
registers and said plurality of writable physical
address registers are writable upon execution of an
instruction by said secure computing system;

said fixed virtual address register and said
fixed physical address register writable upon
execution of an instruction by said secure computing
system, an attempt to write to either said
fixed virtual address register or said fixed physical
address register via said instruction being
arranged to fail to alter contents of said register
and to generate no error message or fault.

10. A secure computing system comprising:

a data processor disposed on a single integrated
circuit, said data processor including a
chip identity read only register for storing a
unique chip identity number;

a memory bi-directionally coupled to said data
processor for storing data;

said data processor being programmed to:

(i) encrypt data employing at least a part of
said chip identity number as an encryption
key,

(ii) store said encrypted data in said memory,

(iii) recall said stored data from said memory,
and

(iv) decrypt said recalled data employing at
least a part of said chip identity number as
decryption key.

11. The secure computing system of claim 10, wherein:

said data comprises a stream of video data. 

12. A method of secure computing comprising the 
steps of: 

encrypting a verification token for a program 
with private key; 

storing a public key corresponding to said pri- 
vate key; 

upon each initialization of a debugger/emulator
for a secure computing system determining if
said program is secure program or a non-secure
program;

if said program is a non-secure program selecting
a first operating mode in said debugger/emulator
permitting access to said program
while prohibiting access to at least one security
feature of the secure computing system, and

if said program is a secure program selecting a
second operating mode in said debugger/emulator
permitting access to all features of the
secure computing system.

13. The method of secure computing of claim 12, further
comprising the steps of:

storing a unique chip identity number on a data
processor within the secure computing system;

if said program is a secure program testing to
determine if said unique chip identity number of
said data processor is within a predetermined
subset of possible chip identity numbers;

if said unique chip identity number of said data
processor is within said predetermined subset
of possible chip identity numbers selecting said
second operating mode in said debugger/emulator;
and

if said unique chip identity number of said data
processor is not within said predetermined
subset of possible chip identity numbers selecting
said first operating mode in said debugger/emulator.

14. The method of secure computing of claim 12, further
comprising the steps of:
wherein said program is an operating system for a
data processor of the secure computing system;

encrypting with a second private key at least a
verification token of an application program;

storing a second public key corresponding to
said second private key;

decrypting said application program employing
said public key as a decryption key;

indicating verification or non-verification of
security of said decrypted application program;

selecting said first operating mode in said
debugger/emulator if said decrypted application
program is verified as secure.
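
The address translation of claims 6 to 9 can be modelled in C as follows; this is an added example, not code from the patent. The 12-bit page offset, the four writable entries, the valid flags, the register values, the FIXED_SLOT index and the rule that the fixed comparator wins when a writable entry holds the same virtual page are all assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes (not from the patent): 32-bit virtual address, top 20 bits compared. */
#define PAGE_SHIFT  12u
#define OFFSET_MASK ((1u << PAGE_SHIFT) - 1u)
#define N_WRITABLE  4
#define FIXED_SLOT  (-1)   /* hypothetical index naming the fixed register pair */

/* Mask-programmed at manufacture (claim 8); constructed sample values. */
static const uint32_t FIXED_VPN = 0xFFFF0u, FIXED_PPN = 0x00010u;

typedef struct {
    uint32_t vpn[N_WRITABLE], ppn[N_WRITABLE];
    uint8_t  valid[N_WRITABLE];   /* assumption: unused entries never match */
} tlb_t;

/* Claim 9: a write aimed at the fixed pair leaves it unchanged and raises no fault. */
void tlb_write(tlb_t *t, int slot, uint32_t vpn, uint32_t ppn) {
    if (slot < 0 || slot >= N_WRITABLE) return;   /* silently ignored */
    t->vpn[slot] = vpn; t->ppn[slot] = ppn; t->valid[slot] = 1;
}

/* Claims 6 and 7: the comparators match the top bits and the multiplexer substitutes
   the matching physical register for them. Returns 0 on a hit, -1 on a miss. */
int tlb_translate(const tlb_t *t, uint32_t vaddr, uint32_t *paddr) {
    uint32_t vpn = vaddr >> PAGE_SHIFT, off = vaddr & OFFSET_MASK;
    if (vpn == FIXED_VPN) {                    /* first comparator, checked first */
        *paddr = (FIXED_PPN << PAGE_SHIFT) | off;
        return 0;
    }
    for (int i = 0; i < N_WRITABLE; i++)       /* second comparators */
        if (t->valid[i] && t->vpn[i] == vpn) {
            *paddr = (t->ppn[i] << PAGE_SHIFT) | off;
            return 0;
        }
    return -1;
}

int main(void) {
    tlb_t t = {0};
    uint32_t pa = 0;
    tlb_write(&t, FIXED_SLOT, 0xFFFF0u, 0x0BAD0u);  /* no effect, no fault */
    tlb_write(&t, 0, 0xFFFF0u, 0x0BAD0u);           /* same page in a writable entry */
    tlb_translate(&t, 0xFFFF0123u, &pa);
    printf("0x%08X\n", (unsigned)pa);               /* fixed mapping still applies */
    return 0;
}
```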
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